Aaron Brazell has posted that a certain WP plugin has a vulnerability. The plugin has been fixed and a new release is here. I commented over there twice and asked what I consider to be two fair questions. I was subscribed to the comments, so I returned when some were made. This comment sticks out:
These plugins can be very dangerous. I think the WordPress culture is to install as many plugins as possible without doing a ton of research.
- What is dangerous?
- Is there a bad combination?
- What should we not mix?
- How can we tell what is good and what is bad?
- Can we test these plugins to find out?
- Who should we trust, and how do we know we can trust them?
- How much research is enough?
- Should we never use plugins at all?
- Is it a permissions problem every time?
- What is “Best Practice”?
- Which plugins do you think are bad? Why? Have you changed yours if you use them?
The reason the above is important is that making blanket statements is not helpful. Another reason is that the people doing support for the product will be on the receiving end of the “Are they dangerous?” questions. It is they who spend the time helping, and it is they who should be armed with the knowledge to advise and even try to make the situation better.
So for those coders who think that “These plugins can be very dangerous” here’s a challenge: Answer at least all of my questions above. Write it so forum helpers and others can use the knowledge positively. Write it to show you know. Write it to benefit WordPress. Improve the culture. Blog it.